Pass through authentication
    Pass through authentication  
RaziLevin


01-14-06 03:26 AM

Hello,

I was wondering how I could implement pass through authentication. What I
need is to be able to programmatically retrieve a user's password so that I
may pass that information along to another website.
Request.ServerVariables("REMOTE_USER") will give me the username; how can I
get the password in ASP? If any more information is needed I will provide it.

Razi






    Re: Pass through authentication  
Jeff Cochran


01-14-06 03:26 AM

On Wed, 11 Jan 2006 11:00:02 -0800, RaziLevin
<RaziLevin@discussions.microsoft.com> wrote:
>I was wondering how I could implement pass through authentication. What I
>need is to be able to programmatically retrieve a user's password so that I
>may pass that information along to another website.
>Request.ServerVariables("REMOTE_USER") will give me the username; how can I
>get the password in ASP? If any more information is needed I will provide it.

You can't.  There is no way to retrieve a password.  If there were,
what use would passwords be?

Jeff





    Re: Pass through authentication  
David Wang [Msft]


01-14-06 03:26 AM

Only insecure protocols like Basic authentication will give you that
behavior.

Secure protocols never pass the user's password to the server, so you can
never "look it up" nor implicitly delegate from that server to another
server.

I suggest you use secure protocols and mechanisms to delegate credentials,
such as with Protocol Transitioning and Constrained Delegation in Windows
Server 2003. Everything else is pretty much insecure unless it does
something similar.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

"RaziLevin" <RaziLevin@discussions.microsoft.com> wrote in message
news:D6F36A1A-FBD6-42B9-BBF6-AA87DF43C771@microsoft.com...
> Hello,
>
> I was wondering how I could implement pass through authentication. What I
> need is to be able to programmatically retrieve a user's password so that I
> may pass that information along to another website.
> Request.ServerVariables("REMOTE_USER") will give me the username; how can I
> get the password in ASP? If any more information is needed I will provide
> it.
>
> Razi
>







    Re: Pass through authentication  
RaziLevin


01-14-06 03:26 AM

David,

Thank you for the reply. I am using Basic Authentication protocol
behind a corporate firewall. The browser sends the password as a header
field. How can I access it? I have deployed third party software within
IIS that does do this.

Thanks

David Wang [Msft] wrote:
> Only insecure protocols like Basic authentication will give you that
> behavior.
>
> Secure protocols never pass the user's password to the server, so you can
> never "look it up" nor implicitly delegate from that server to another
> server.
>
> I suggest you use secure protocols and mechanisms to delegate credentials,
> such as with Protocol Transitioning and Constrained Delegation in Windows
> Server 2003. Everything else is pretty much insecure unless it does
> something similar.
>
> --
> //David
> IIS
> http://blogs.msdn.com/David.Wang
> This posting is provided "AS IS" with no warranties, and confers no rights.
> //
>
> "RaziLevin" <RaziLevin@discussions.microsoft.com> wrote in message
> news:D6F36A1A-FBD6-42B9-BBF6-AA87DF43C771@microsoft.com... 






    Re: Pass through authentication  
Consultant


01-14-06 03:26 AM

use ssl

"RaziLevin" <RaziLevin@hotmail.com> wrote in message
news:1137171747.260119.225850@g44g2000cwa.googlegroups.com...
> David,
>
> Thank you for the reply. I am using Basic Authentication protocol
> behind a corporate firewall. The browser sends the password as a header
> field. How can I access it? I have deployed third party software within
> IIS that does do this.
>
> Thanks
>
> David Wang [Msft] wrote: 
>







    Re: Pass through authentication  
RaziLevin


01-14-06 03:26 AM

Security is not an issue for me.






    Re: Pass through authentication  
David Wang [Msft]


01-14-06 07:49 AM

Are you sure the password is sent as a header -- because I am not aware of
any popular web browser that allows this unless you are running custom
client-side code.


If you are using Basic Authentication protocol in IIS you can trivially use
the AUTH_USER and AUTH_PASSWORD server variables to get what you want in
ASP. This is all documented on MSDN.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

"RaziLevin" <RaziLevin@hotmail.com> wrote in message
news:1137171747.260119.225850@g44g2000cwa.googlegroups.com...
> David,
>
> Thank you for the reply. I am using Basic Authentication protocol
> behind a corporate firewall. The browser sends the password as a header
> field. How can I access it? I have deployed third party software within
> IIS that does do this.
>
> Thanks
>
> David Wang [Msft] wrote: 
>







    Re: Pass through authentication  
RaziLevin


01-16-06 07:50 AM

David,

Thank you very much. I think when you use BASIC AUTHENTICATION the
browser sends the password in a header obfuscated by BASE64 encoding. I
do not know if the client continues to send this password after the
client responds to a 401 response returned by the server.

Thanks Again
Razi

P.S. Sometimes missing a piece of documentation is just as bad as asking
a stupid question.






    Re: Pass through authentication  
David Wang [Msft]


01-16-06 12:50 PM

The browser will send over username:password for every single request that
requires Basic Authentication. HTTP is stateless so the fact the prior
request authenticated with basic is no indication that the next request
authenticated with basic.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

"RaziLevin" <RaziLevin@hotmail.com> wrote in message
news:1137384464.394706.265970@g47g2000cwa.googlegroups.com...
> David,
>
> Thank you very much. I think when you use BASIC AUTHENTICATION the
> browser sends the password in a header obfuscated by BASE64 encoding. I
> do not know if the client continues to send this password after the
> client responds to a 401 response returned by the server.
>
> Thanks Again
> Razi
>
> P.S. Sometimes missing a piece of documentation is just as bad as asking
> a stupid question.
>
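
The behaviour discussed in the last posts, as an added example that is not part of the original thread: Basic credentials are only Base64-encoded and accompany every request, so an audit over request records can flag any that travelled without SSL/TLS. The function names, record layout and sample traffic are assumptions constructed for illustration.

```python
import base64
import binascii


def parse_basic_authorization(header_value):
    """Return (username, password) from an Authorization header, or None.

    Basic credentials are base64("username:password"). Base64 is a reversible
    encoding, so anything that can read the header can read the password.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")
    if not sep:
        return None  # malformed: no colon between user-id and password
    return username, password  # only the first ':' splits; the password may contain ':'


def audit_requests(requests):
    """Flag requests that carry Basic credentials over a non-TLS connection."""
    findings = []
    for req in requests:
        creds = parse_basic_authorization(req["headers"].get("Authorization", ""))
        if creds is not None and req["scheme"] != "https":
            findings.append((req["path"], creds[0]))  # record the user, never the password
    return findings


# Constructed sample traffic: an unauthenticated request (answered with 401),
# then the same browser re-sending its credentials on every later request.
SAMPLE_TOKEN = base64.b64encode(b"alice:corr:ect").decode("ascii")
SAMPLE_REQUESTS = [
    {"scheme": "http", "path": "/app/default.asp", "headers": {}},
    {"scheme": "http", "path": "/app/default.asp", "headers": {"Authorization": "Basic " + SAMPLE_TOKEN}},
    {"scheme": "http", "path": "/app/report.asp", "headers": {"Authorization": "Basic " + SAMPLE_TOKEN}},
    {"scheme": "https", "path": "/app/report.asp", "headers": {"Authorization": "Basic " + SAMPLE_TOKEN}},
]

if __name__ == "__main__":
    for path, user in audit_requests(SAMPLE_REQUESTS):
        print(f"cleartext Basic credentials for {user!r} on {path}")
```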






